Re: Is it dangerous to use a local administrator account for anonymous access to a sec
Ken Schaefer
04-17-07 06:18 AM

The issue here is that if anyone can, in any way, subvert the application,
then they will have complete control over the machine (for example via SQL
injection, cross-site scripting vulnerability, session replay attack etc).
From there, they will almost certainly be able to, eventually, subvert the
entire domain.

Cheers
Ken


"Paulaner" wrote in message news:lsu623hegv5tv144v6r4i50fgoqhsdjhr1@4ax.com...
>
> We have a web application that uses ASP pages and JavaScript to
> display information to users. We want the data to be secure, so the
> login page will redirect http:// users from port 80 to https:// on
> port 443. We prompt for a username and a password, then use an ISAPI
> filter to authenticate them with our database.
>
> The service team got a report about some trouble with this website, so
> they changed the anonymous account logon from IUSR_computername to a
> local user account in the administrators group. This has fixed their
> problem, but I am concerned that they just opened a security hole.
>
> The only reference to this issue I can find in TechNet is this
> comment: "If you use an account other than IUSR_computername for
> anonymous access, choose the rights you assign to it very carefully."
> from http://msdn2.microsoft.com/en-us/library/ms951775.aspx
>
> Can anyone point me to some documentation that says "don't do this",
> or give me some sufficient ammunition to convince them to undo this
> action and appropriately repair the root cause of their issue?

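
An added example, not part of the original posts: a Python audit that resolves the effective anonymous account for every IIS 6 metabase key (the setting is inherited from parent keys) and flags keys where that account is a member of the local Administrators group, which is the configuration discussed in this thread. It assumes a MetaBase.xml-style export and `net localgroup Administrators` output; the sample data, the host name in `IUSR_WEB01` and the account `svc_webfix` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of an IIS 6 MetaBase.xml (not from the thread).
METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0"><MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Secure App" AnonymousUserName="svc_webfix"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"/>
</MBProperty></configuration>"""

# Constructed, abridged output of `net localgroup Administrators` from the same host.
NET_LOCALGROUP = """Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
svc_webfix
The command completed successfully.
"""

def admin_members(net_output):
    """Return the lower-cased member names listed below the dashed separator."""
    lines = net_output.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("-----")) + 1
    return {line.strip().lower() for line in lines[start:]
            if line.strip() and not line.startswith("The command completed")}

def anonymous_accounts(metabase_xml):
    """Map each Location to its effective AnonymousUserName (own value or nearest ancestor's)."""
    nodes = {el.get("Location"): el.get("AnonymousUserName")
             for el in ET.fromstring(metabase_xml).iter() if el.get("Location")}
    effective = {}
    for loc in nodes:
        node = loc
        while node and not nodes.get(node):
            node = node.rpartition("/")[0]  # walk up one path segment
        effective[loc] = nodes.get(node)
    return effective

def admin_anonymous_sites(metabase_xml, net_output):
    """List (Location, account) pairs whose anonymous account is a local administrator."""
    admins = admin_members(net_output)  # assumes plain local names in both inputs
    return sorted((loc, user) for loc, user in anonymous_accounts(metabase_xml).items()
                  if user and user.lower() in admins)

if __name__ == "__main__":
    for loc, user in admin_anonymous_sites(METABASE, NET_LOCALGROUP):
        print(f"{loc}: anonymous requests run as administrator account {user}")
```

Because the override can sit on a single site or virtual directory, checking only the server-wide default would miss the change in the constructed sample.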